Debian and CVE compatibility

Debian developers understand the need to provide accurate and
up-to-date information on the security status of the Debian distribution,
allowing users to manage the risk associated with new security
vulnerabilities. The Common
Vulnerabilities and Exposures project (CVE) enables us to provide
standardised security references that allow users to develop a
CVE-enabled security management process. CVE provides a list of
standardised names for vulnerabilities and security exposures.

The Debian project believes that it is extremely
important to provide users with additional information
related to security issues that affect the Debian distribution.
The inclusion of CVE names in advisories helps
users associate generic vulnerabilities with specific Debian updates,
which reduces the time spent handling vulnerabilities that affect our users.

The availability of common security references also eases the
management of security in an environment where
CVE-enabled security tools, such as network or host intrusion detection systems
or vulnerability assessment tools, are already deployed, regardless of
whether or not they are based on the Debian distribution.

The Debian project has added CVE names to all the security advisories (DSA)
released since September 1998 through a review process started in
August 2002. All of the advisories can be retrieved from the Debian
web site, and announcements related to new vulnerabilities include
CVE names if available at the time of their release.

The Debian Security Tracker
has the canonical list of CVE names, corresponding Debian packages, Debian
Security Advisories and bug numbers. It can be searched by package name
or DSA/CVE name and contains data since the release of Debian Woody.